Windows drive-by attack on aeronautical website may be state sponsored

The website of a European aeronautical parts supplier was infected with an exploit that uses an unpatched Windows vulnerability to execute malicious code on end users' computers, researchers from antivirus provider Sophos said.

The active exploit, which targets a vulnerability in the XML Core Services package in all supported versions of Windows and which Ars reported on last week, allowed people to become infected simply by visiting the unnamed site using Microsoft's Internet Explorer browser. Researchers with the firm said the exploit was planted on the site by "cybercriminals" who first managed to compromise its security.

"We know that a hacker who manages to plant malicious code on the website of, say, a company which supplies aeronautical parts may reasonably predict that staff at a larger organization—such as an arms manufacturer or defense ministry—might have reason to access the site," they wrote in a blog post. "Once the hackers have placed their malicious code on the supplier's website, they would simply wait for notification that their code has run on either the big company's network or a larger supplier further up the chain."

Microsoft has provided a temporary fix for the vulnerability that all Windows users should apply whether or not they use IE as their browser of choice. Most antivirus products have added signatures to detect and block exploits. The aeronautical parts supplier, which Sophos declined to name, has since removed the infection from its website.